Application Access
By default, AppStream 2.0 enables the applications that you specify in your image to launch other applications and executable files on the image builder and fleet instance. This ensures that applications with dependencies on other applications (for example, an application that launches the browser to navigate to a product website) function as expected. Make sure that you configure your administrative controls, security groups, and other security software to grant users the minimum permissions required to access resources and transfer data between their local computers and fleet instances.
You can use application control software, such as Microsoft AppLocker
Note
The AppStream 2.0 agent software relies on the Windows command prompt and Windows PowerShell to provision streaming instances. If you choose to prevent users from launching the Windows command prompt or Windows PowerShell, the policies must not apply to the Windows NT AUTHORITY\SYSTEM account or to users in the Administrators group.
Rule type | Action | Windows user or group | Name/Path | Condition | Description |
---|---|---|---|---|---|
Executable | Allow | NT AUTHORITY\System | * | Path | Required for the AppStream 2.0 agent software |
Executable | Allow | BUILTIN\Administrators | * | Path | Required for the AppStream 2.0 agent software |
Executable | Allow | Everyone | %PROGRAMFILES%\nodejs\* | Path | Required for the AppStream 2.0 agent software |
Executable | Allow | Everyone | %PROGRAMFILES%\NICE\* | Path | Required for the AppStream 2.0 agent software |
Executable | Allow | Everyone | %PROGRAMFILES%\Amazon\* | Path | Required for the AppStream 2.0 agent software |
Executable | Allow | Everyone | %PROGRAMFILES%\<default-browser>\* | Path | Required for the AppStream 2.0 agent software when persistent storage solutions, such as Google Drive or Microsoft OneDrive for Business, are used. This exception is not required when AppStream 2.0 home folders are used. |
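The rules in the table can be expressed as an AppLocker executable rule collection. The following script is an added example, not AWS-provided code: it writes the table's rows to a policy XML file for review. The -BrowserFolder and -OutFile parameters, the output file name, the rule names, and the AuditOnly enforcement mode are assumptions of this example, and the rules for your own applications still have to be added before the collection is enforced.

```powershell
# Added example: build an AppLocker Exe rule collection from the table above.
param(
    # Hypothetical parameter: the default browser's folder name under
    # %PROGRAMFILES%. Supply it only when persistent storage such as
    # Google Drive or OneDrive for Business is used.
    [string]$BrowserFolder,
    # Hypothetical output location for the generated policy.
    [string]$OutFile = (Join-Path $PWD 'appstream-applocker.xml')
)

$why = 'Required for the AppStream 2.0 agent software'

# Well-known SIDs: NT AUTHORITY\SYSTEM, BUILTIN\Administrators, Everyone.
$rules = @(
    @{ Sid = 'S-1-5-18';     Path = '*' }
    @{ Sid = 'S-1-5-32-544'; Path = '*' }
    @{ Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\nodejs\*' }
    @{ Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\NICE\*' }
    @{ Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\Amazon\*' }
)
if ($BrowserFolder) {
    $rules += @{ Sid = 'S-1-1-0'; Path = "%PROGRAMFILES%\$BrowserFolder\*" }
}

$doc    = New-Object System.Xml.XmlDocument
$policy = $doc.AppendChild($doc.CreateElement('AppLockerPolicy'))
$policy.SetAttribute('Version', '1')
$exe = $policy.AppendChild($doc.CreateElement('RuleCollection'))
$exe.SetAttribute('Type', 'Exe')
# AuditOnly is this example's choice: events are logged, nothing is blocked.
$exe.SetAttribute('EnforcementMode', 'AuditOnly')

foreach ($r in $rules) {
    $rule = $exe.AppendChild($doc.CreateElement('FilePathRule'))
    $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
    $rule.SetAttribute('Name', "AppStream 2.0 agent: $($r.Sid) $($r.Path)")
    $rule.SetAttribute('Description', $why)
    $rule.SetAttribute('UserOrGroupSid', $r.Sid)
    $rule.SetAttribute('Action', 'Allow')
    $cond = $rule.AppendChild($doc.CreateElement('Conditions'))
    $leaf = $cond.AppendChild($doc.CreateElement('FilePathCondition'))
    $leaf.SetAttribute('Path', $r.Path)
}
$doc.Save($OutFile)

# After review, merge into the local policy on the image builder:
#   Set-AppLockerPolicy -XmlPolicy $OutFile -Merge
```

AppLocker evaluates rules only while the Application Identity service (AppIDSvc) is running, and Test-AppLockerPolicy can be run against the generated file to check a given executable and user before the policy is merged.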